XSS Prevention in Node.js / server side javascript

Any idea how one could prevent XSS attacks in a node.js application? Any libraries that handle javascript removal in hrefs, onclick attributes, etc. from the POSTed data?

I do not want to write a regex for all this :)

Any suggestions?

+57
xss serverside-javascript
Sep 14 '10
7 answers

One client-side answer to Sanitize/Rewrite HTML suggests borrowing the whitelist-based JS sanitizer from Google Caja, which, as far as I can tell from a quick scroll-through, implements an HTML SAX parser without relying on the browser DOM.

Update: Also, keep in mind that the Caja sanitizer appears to have received a full, professional security review, while regular expressions are known to be very easy to get wrong in security-compromising ways.

Update 2017-09-24: There is also DOMPurify. I haven't used it yet, but it looks like it meets or exceeds every point I look for:

  • Relies on functionality provided by the runtime wherever possible. (Important both for performance and for minimizing security vulnerabilities, by relying on well-tested, mature implementations as much as possible.)

    • Based on the browser DOM, or jsdom for Node.JS.
  • The default configuration is designed to strip as little as possible while still guaranteeing the removal of JavaScript.

    • Supports HTML, MathML, and SVG
    • Falls back to Microsoft's proprietary, non-configurable toStaticHTML on IE8 and IE9.
  • Highly configurable, which makes it suitable for enforcing restrictions on input that can contain arbitrary HTML, for example a WYSIWYG or Markdown comment field. (It is actually the top of the heap here.)

    • Supports the usual tag/attribute whitelisting and blacklisting, plus a whitelist for link attributes
    • Has special options for additional sanitizing of some common kinds of HTML metacharacters.
  • They take compatibility and reliability seriously.

    • Automated tests running in 16 different browsers, as well as three different major versions of Node.JS.
    • To keep developers and CI hosts on the same page, lock files are published.
+20
Sep 14 '10 at 3:15

I created a module that wraps the Caja HTML Sanitizer:

 npm install sanitizer 

http://github.com/theSmaw/Caja-HTML-Sanitizer

https://www.npmjs.com/package/sanitizer

Any feedback is appreciated.

+53
Oct 29 '10 at 16:29

All the usual methods also apply to the output of node.js, which means:

  • Blacklists will not work.
  • You should not filter input to protect HTML output. It will either not work, or it will work while corrupting data.
  • You must HTML-escape text in the HTML output.

I'm not sure that node.js comes with something built in for this, but something like this should do the job:

    function htmlEscape(text) {
        return text.replace(/&/g, '&amp;')
                   .replace(/</g, '&lt;')
                   // it is not necessary to escape >
                   .replace(/"/g, '&quot;')
                   .replace(/'/g, '&#039;');
    }
+16
Dec 11 '10 at 23:24

I recently discovered chriso's node-validator.

Example

    get('/', function (req, res) {
        // Sanitize user input
        req.sanitize('textarea').xss(); // No longer supported
        req.sanitize('foo').toBoolean();
    });

XSS function deprecated

The xss function is no longer available in this library.

https://github.com/chriso/validator.js#deprecations

+15
Dec 23 '10 at 22:23

You can also look at ESAPI. There is a JavaScript version of the library. It is quite robust.

+5
Sep 15 '10 at 23:51

In newer versions of the validator module you can use the following to prevent an XSS attack:

    var validator = require('validator');
    var escaped_string = validator.escape(someString);
+3
Jan 31 '14 at 10:28
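The htmlEscape answer above and the validator.escape answer are making the same point: escape at the point of output, for the HTML context you are writing into, rather than filtering what comes in. The following is an added example (not code from any of the answers, nor from validator or Caja) that puts a raw-interpolation render next to an escaped one, and a deliberately naive input filter next to them to show the two failure modes the htmlEscape answer names: bypass and data corruption. The function names, the comment markup and the sample payloads are all constructed for this example; it runs stand-alone under Node.js with no dependencies.

```javascript
// Added example: output escaping versus input filtering for HTML output
// in a Node.js handler.  All names and inputs below are constructed for
// illustration; none of this is code from the answers or from a library.

// Escape for the HTML text context and for double- or single-quoted
// attribute values.  Escaping '>' is not strictly required (the answer
// above omits it); it is included here so the output is also safe if a
// template later drops it into a context that cares about it.
function htmlEscape(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// The blacklist "input filter" the answer warns against: strips <script>
// tags and the string "javascript:" once, then stores the result.
function naiveInputFilter(text) {
  return String(text)
    .replace(/<\/?script[^>]*>/gi, '')
    .replace(/javascript:/gi, '');
}

// Vulnerable render: the stored value is interpolated as-is.
function renderUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// Hardened render: the same value, escaped at the moment it becomes HTML.
function renderSafe(comment) {
  return '<p class="comment">' + htmlEscape(comment) + '</p>';
}

// Hardened render into a quoted attribute: the escaped quote cannot close
// the attribute, so no new attribute (e.g. an event handler) can be injected.
function renderTitleAttr(title) {
  return '<a href="/" title="' + htmlEscape(title) + '">home</a>';
}

// Constructed sample inputs: three payloads and one benign comment that
// merely talks about a tag.
const samples = [
  '<script>alert(1)</script>',            // caught by the filter, but only this one
  '<img src=x onerror="alert(1)">',       // no <script>, so the filter passes it
  'javajavascript:script:alert(1)',       // single-pass removal re-assembles the payload
  'Use the <script> tag sparingly',       // legitimate text the filter destroys
];

for (const s of samples) {
  console.log('input      :', s);
  console.log('filtered   :', naiveInputFilter(s));   // what gets stored
  console.log('unsafe html:', renderUnsafe(naiveInputFilter(s)));
  console.log('safe html  :', renderSafe(s));         // original data, escaped on output
  console.log();
}
```

The hardened path stores the user's text unchanged and escapes it each time it is rendered, so "Use the <script> tag sparingly" survives intact, whereas the filter silently drops the tag from a harmless sentence while still letting the onerror payload through. htmlEscape covers only the HTML text and quoted-attribute contexts; inserting untrusted data into a JavaScript string, a URL, or a CSS value needs the encoder for that context, which is what the ESAPI answer's library exists for.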

Try the npm strip-js module. It does the following:

  • Sanitizes HTML
  • Removes script tags
  • Removes attributes such as "onclick", "onerror", etc. that contain JavaScript code
  • Removes href attributes containing JavaScript code

https://www.npmjs.com/package/strip-js

+1
Oct. 12 '16 at 15:31